Why does ssh-host-config create two users in Cygwin on Windows 8.1?
In trying to resolve some issues with using Cygwin + SSH on Windows 8.1, I'd like to know why the ssh-host-config script creates two new accounts configuring OpenSSH from scratch? (Is this necessary?)
The two accounts are: cyg_server and sshd, when using default selection + privilege escalation and service installation. I understand the first one is used only for starting the Cygwin SSHd service, but I don't understanding the function of the second one. I searched the Cygwin archives and the only developer explanation was "because it was designed to do so." It's also recommended against using these for actual login.
Here's my installation:
-----------------------------------------------------------
ssh-keygen: generating new host keys: RSA1 RSA DSA ECDSA ED25519
*** Info: Creating default /etc/ssh_config file
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges. Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires. You need to have or to create a privileged
*** Info: account. This script will help you do so.
*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later. On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).
*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.
*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.
*** Info: No privileged account could be found.
*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Do you want to use a different name? (yes/no) no
*** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
*** Info: Please enter a password for new user cyg_server. Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:
*** Info: User 'cyg_server' has been created with password 'XXXXXXXXXX'.
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.
*** Info: Also keep in mind that the user 'cyg_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'cyg_server'.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions correctly. [Similar restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].
*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account. To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
*** Info: after the next reboot.
*** Info: Host configuration finished. Have fun!
-----------------------------------------------------------
In addition, 'cyg_server' is a visible account, that can be used to for Windows login, but 'sshd' seem hidden. So I'm left with the conclusion I'll have to add yet another 3rd account to be able to use SSH properly, which seem rather crazy!
EDIT-1: Not only that, the sshd account also has a password expiration date set 40 days from installation and has a password (according to WMIC). (I was never asked to entered a password for this account, during ssh setup.)
Doing: wmic useraccount get AccountType,...,Status:
AccountType Disabled Lockout Name PasswordChangeable PasswordExpires PasswordRequired Status
512 FALSE FALSE cyg_server TRUE FALSE TRUE OK
512 TRUE FALSE sshd TRUE TRUE TRUE Degraded
and net user sshd:
User name sshd
Full Name sshd privsep
Comment
User's comment
Country/region code 000 (System Default)
Account active No
Account expires Never
Password last set 2014-03-01 23:20:19
Password expires 2014-04-12 23:20:19
Password changeable 2014-03-01 23:20:19
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory C:\cygwin64\var\empty
Last logon Never
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
So this opens two more questions about this:
- What is the password set and why was the user not informed about this?
- Why does this password have an expiration date?
EDIT-2: Not being able to get through to the Cygwin developer list, I had to do further investigation on my own. So far I don't have an answer to question 1, but there are several other issues with the ssh-host-config script used for setup. Bottom line is, that you can always remove both sshd & cyg_server accounts, and setup one proper admin account using their settings as reference.
Question 2: Windows 8.1 has a default password expiration set to 42 days. This has to be either changed or disabled, using normal Windows tools (UI, WMIC, net user, etc)
Update 2019: This answer and question is obsolete. See Bill_Stewart's answer.
From man 5 sshd_config
UsePrivilegeSeparation
Specifies whether sshd separates privileges by creating an
unprivileged child process to deal with incoming network traffic.
After successful authentication, another process will be created
that has the privilege of the authenticated user. The goal of
privilege separation is to prevent privilege escalation by con-
taining any corruption within the unprivileged processes. The
default is "yes".
So sshd requires two types of accounts:
- One with the ability to
setuid. - One unprivileged account.
The setup script explains that the usual SYSTEM account doesn't have setuid privilege, thus the need for the additional privileged account.
As for why ssh-host-config creates two user accounts is mostly answered by Dan. More on why a separate account is needed to setuid can be found here, it's a complicated process.
As for your first sub-question, I believe it's defaults, too, like the password expiry - in /usr/share/csih/cygwin-service-installation-helper, used by ssh-host-config, the user is created (using the Windows net command) like this, where ${unpriv_user} is the name, like sshd, you selected, and ${dos_var_empty} is the Windows/DOS style path to /var/empty:
net user "${unpriv_user}" /add /fullname:"${unpriv_user} privsep" \
"/homedir:${dos_var_empty}" /active:no
The documentation by Microsoft says that the default value for /passwordreq, if a password is required, is yes, and it seems that Windows then assigns some default password (probably because a password isn't specified, maybe in particular because /active:no).
And for your second sub-question, like you said in your second edit, the default, at least for Windows 8.1 Pro, seems to be a password expiry after 42 days, although it's certainly not enabled on my account OR the new cyg_server account. This is probably because of the same combination - cyg_server specifies a password and is active, but sshd doesn't specify a password and isn't active (perhaps this is to force a password being assigned if/when the account is activated). If you want to know the exact details, I'd probably try creating more similar accounts with the expiry off/specifying the password and seeing what happens.
Original Answer
The separate disabled sshd account is actually not used in Cygwin (with one exception; see below). I asked about this on the Cygwin mailing list:
Is the sshd disabled user account still required?
Corinna Vinschen (Cygwin maintainer) responded with the following:
No, actually it isn't. These days the sshd server checks if the the privsep chrrot [sic] environment should be used and that the process is started under "root:root". This never matches under Cygwin so we could drop the sshd user requirement.
(See https://cygwin.com/ml/cygwin/2019-01/msg00120.html)
Update Regarding sftp-only
The above is correct in that the sshd account is not strictly required. The only time you will still need it is if you want to use the ChrootDirectory setting in sshd_config to restrict an account to SFTP only.
FWIW, I created a package that provides an easy-to-use installer that configures the Cygwin version of OpenSSH (and a couple of other tools, including rsync). It's on GitHub if anyone is interested:
https://github.com/Bill-Stewart/CygSSH
The documentation in the package describes the circumstances in which the sshd account is used.